
    Internet access is blocked on 3rd party browsers on windows 10 devices that are applied with windows information protection (WIP) policies using intune

    By Eswar Koneti | October 20, 4:59 pm | App protection policies

    For the past few weeks I have been working on Office 365, including the O365 applications Teams and OneDrive, and managing mobile and Windows devices (MDM/MAM) using Intune.

    While working on this, I found that on Windows 10 devices with WIP policies applied, internet access is blocked (access denied) in 3rd party browsers such as Google Chrome and Firefox, but it works fine in Edge and Internet Explorer.

    If you try to access the internet in Firefox, Chrome or any other browser (except IE or Edge), you will hit the following error.

    Internet Access is blocked

     

    To learn more about Windows Information Protection, read the TechNet article https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip

    To use 3rd party browsers such as Chrome and Firefox, we need to define a Cloud Resource rule that includes the /*AppCompat*/ string. This is needed because when an unenlightened app such as Chrome or Firefox tries to connect to a cloud resource through an IP address, Windows can't determine whether it is a corporate location or a personal location, so the default behaviour for Windows is to block all connections. To resolve this, add Cloud Resources as shown below; they define the cloud resource locations you want to treat as corporate.

    To learn more about how unenlightened apps behave with WIP, read https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/app-behavior-with-wip


    How do you allow 3rd party browsers to access the internet? (This does not protect the data in the application; it only allows internet access.)

    Log in to www.portal.azure.com

    Go to Intune app protection, click App policy (Intune app protection – App policy), then click the Windows 10 compliance policy (you will see Windows listed as the platform).


    In the Windows 10 app protection policy, click Advanced settings, then click Cloud resources.


    Add |/*AppCompat*/ in the value field and click OK. The position of this value does not matter; you can add it anywhere.

    Once you add the value, make sure a tick mark appears on the right-hand side, which confirms that the change is valid.


    Click Save for the advanced settings.

    Users on Windows 10 devices should now be able to access the internet using 3rd party browsers.
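A pre-flight check for the Cloud resources value before it is pasted into the portal, as an added example that is not from the original post. It assumes the value is a pipe-separated list whose entries are either `resource` or `resource,proxy`; the function name `Test-WipCloudResources` and the sample hostnames are made up for illustration.

```powershell
# Added example, not from the original post.
# Assumed format: entries separated by '|', each "resource" or "resource,proxy".
function Test-WipCloudResources {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)

    $token    = '/*AppCompat*/'
    $issues   = [System.Collections.Generic.List[string]]::new()
    $entries  = [System.Collections.Generic.List[string]]::new()
    $hasToken = $false

    foreach ($raw in $Value.Split('|')) {
        $entry = $raw.Trim()
        if ($entry -eq '') { $issues.Add('empty segment (stray "|")'); continue }
        if ($entry -ne $raw) { $issues.Add("whitespace around '$entry'") }

        if ($entry -ceq $token) {
            # Exact, case-sensitive match of the string the post tells you to add.
            if ($hasToken) { $issues.Add("duplicate $token") }
            $hasToken = $true
            continue
        }
        if ($entry -match 'appcompat') {
            # Near miss such as "/AppCompat/" or "/*appcompat*/": drop it and report it.
            $issues.Add("'$entry' is not exactly $token")
            continue
        }
        if (($entry -split ',').Count -gt 2) {
            $issues.Add("'$entry' is not 'resource' or 'resource,proxy'")
        }
        if (-not $entries.Contains($entry)) { $entries.Add($entry) }
    }

    # The token can sit anywhere in the list; appending it keeps the value easy to review.
    $entries.Add($token)
    [pscustomobject]@{
        HadAppCompat = $hasToken
        Issues       = $issues.ToArray()
        Normalized   = $entries -join '|'
    }
}

# Constructed sample: placeholder hostnames, a stray "|", and a mistyped token.
$sample = 'contoso.sharepoint.com,proxy.contoso.com| contoso.visualstudio.com||/*appcompat*/'
Test-WipCloudResources -Value $sample | Format-List
```

Review the `Issues` list first, then use the `Normalized` string as the value to enter in the Cloud resources field.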

    Recommended reading

    https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/app-behavior-with-wip 

    https://docs.microsoft.com/en-au/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip

    Hope it helps!


    6 Comments

    1. cole on August 24, 2022 2:28 PM

      Hi,

      I set up the WIP policy and 3rd party web browsers are not blocked.
      I set up the Network perimeter according to the Microsoft document.
      And I haven't set up the /*AppCompat*/ for the cloud resources.
      My experience is that I can still browse through Chrome and Firefox.

      Has the behavior changed, or have I missed something in my setup?

      Thanks
      Cole

      • Eswar Koneti on March 12, 2023 2:54 AM

        Hi,
        I am not sure if there are changes to the WIP policy for 3rd party browsers, but appcompat is a required parameter; not sure if there were any changes to it lately.
        WIP is set to sunset and will be replaced by Windows DLP. For more information, please read the MS documentation https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-end-of-support-guidance-for-windows-information/ba-p/3580091

        Thanks,
        Eswar

    2. Justin on March 3, 2022 2:33 AM

      How do you publish intranet sites to app proxy?

      • Eswar Koneti on March 3, 2022 7:42 PM

        Hi,
        You will need to install the Azure AD app proxy connector on-premises, close to the app servers, and publish the apps.
        You can follow this guide to publish the intranet site through app proxy. https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-configure-connectors-with-proxy-servers

        Thanks,
        Eswar

    3. Jagannath Vempati on November 13, 2018 12:03 PM

      Hi,

      Great!! That worked. However, intranet sites are still not working on Google Chrome after adding /*AppCompat*/.
      Suggestions please.

      • Eswar Koneti on November 14, 2018 9:26 PM

        Hi,
        To access intranet sites using Chrome on external networks, you must publish them via app proxy and try to use the external-facing URL. You also need to add the extension of the app proxy that you configured into the WIP policy.

        Thanks,
        Eswar


    © Copyright 2009-2024 Eswar Koneti, All rights reserved.
